ci(release): Fix semantic-release preview authentication #294

Merged: GeWuYou merged 2 commits into main from feat/semantic-release-versioning on Apr 26, 2026

@GeWuYou GeWuYou commented Apr 26, 2026

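  • Fix the preview job to use PAT_TOKEN in the dry-run and validate repository access up front
  • Add an explanation to the preview summary of the remote push-permission probing behavior
  • Update the tracking and trace recovery points and validation records for semantic-release versioning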

Summary by CodeRabbit

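Release notes

This release contains internal infrastructure improvements, with no user-facing functional changes.

  • Chores

    • Improve the permission validation mechanism of the automated release workflow
    • Enhance the reliability of the version release process
  • Documentation

    • Update internal process tracking documentation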

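- Fix the preview job to use PAT_TOKEN in the dry-run and validate repository access up front
- Add an explanation to the preview summary of the remote push-permission probing behavior
- Update the tracking and trace recovery points and validation records for semantic-release versioning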

coderabbitai Bot commented Apr 26, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b21ff35c-35d9-4fb3-a856-1f800c034139

📥 Commits

Reviewing files that changed from the base of the PR and between 195658a and f777cde.

📒 Files selected for processing (5)
  • .github/actions/validate-pat/action.yml
  • .github/workflows/auto-tag.yml
  • ai-plan/public/semantic-release-versioning/archive/todos/semantic-release-versioning-2026-04-26.md
  • ai-plan/public/semantic-release-versioning/todos/semantic-release-versioning-tracking.md
  • ai-plan/public/semantic-release-versioning/traces/semantic-release-versioning-trace.md
📝 Walkthrough

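Workflow overview

This change updates the GitHub workflow configuration to validate the PAT_TOKEN secret before the semantic-release preview runs, by adding an API authentication check, and switches the preview stage's authentication from the default token to the specified secret, ensuring consistent permission validation during the dry run.

Changes

Cohort / File(s) | Summary
Workflow validation and token switch
.github/workflows/auto-tag.yml
Adds PAT_TOKEN secret validation logic, including a GitHub API pre-check and an HTTP status code check (explicitly handling 401/403); switches the semantic-release preview authentication from github.token to secrets.PAT_TOKEN; updates the preview summary output to explain that PAT_TOKEN is used for dry-run permission probing.
Planning document progress update
ai-plan/public/semantic-release-versioning/todos/semantic-release-versioning-tracking.md, ai-plan/public/semantic-release-versioning/traces/semantic-release-versioning-trace.md
Advances the recovery point from SEMREL-RP-002 to SEMREL-RP-003; records completion of the preview authentication fix; adds a known-risk note: the semantic-release preview performs a remote push-permission probe even though it will not ultimately push a tag; adds a build verification step; updates the follow-up instructions to require re-running the preview job to confirm the permission issue is resolved.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related pull requests

  • Feat/semantic release versioning #293: That PR likewise modifies the semantic-release preview flow in .github/workflows/auto-tag.yml to use/validate secrets.PAT_TOKEN, changing the authentication behavior of the preview stage, and is directly related to this PR.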
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
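Title check ✅ Passed The title clearly and accurately summarizes the main change: fixing the authentication issue in the semantic-release preview stage, and closely matches the content of the changeset.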
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

greptile-apps Bot commented Apr 26, 2026

Greptile Summary

This PR addresses the previous review concern about PAT validation only checking read access. It extracts the PAT validation into a shared composite action (.github/actions/validate-pat/action.yml) that now asserts permissions.push == true from the GitHub API response, and applies that validation to the preview job as well — which also switches from github.token to PAT_TOKEN so the semantic-release dry-run push probe uses a token with the correct write scope.

Confidence Score: 5/5

Safe to merge — the prior P1 concern about read-only PATs bypassing validation is fully addressed.

The previous open thread (push-permission not checked) is directly resolved by parsing permissions.push from the API response in the new shared composite action. Both the preview and release jobs now use this action. No new issues were introduced; remaining changes are documentation and tracking updates.

No files require special attention.

Important Files Changed

Filename Overview
.github/actions/validate-pat/action.yml New composite action extracts and centralises PAT validation; correctly asserts permissions.push == true to reject read-only tokens before semantic-release performs its git push --dry-run.
.github/workflows/auto-tag.yml Preview job now validates PAT and uses PAT_TOKEN for GITHUB_TOKEN; release job refactored to use the shared composite action; both paths now enforce push-permission check.
ai-plan/public/semantic-release-versioning/todos/semantic-release-versioning-tracking.md Tracking doc updated to SEMREL-RP-004, historical completed items moved to archive, current focus reflects PAT convergence and push-permission gate.
ai-plan/public/semantic-release-versioning/traces/semantic-release-versioning-trace.md Trace doc updated to match SEMREL-RP-004; documents key decisions around sharing PAT_TOKEN and push-permission assertion.
ai-plan/public/semantic-release-versioning/archive/todos/semantic-release-versioning-2026-04-26.md New archive file; moves stable historical milestone records out of the active tracking document for readability.

Sequence Diagram

sequenceDiagram
    actor Maintainer
    participant GH as GitHub Actions
    participant ValidatePAT as validate-pat composite
    participant GHAPI as GitHub API
    participant SR as semantic-release

    Maintainer->>GH: workflow_dispatch on main

    rect rgb(220, 240, 255)
        Note over GH: preview job (dry-run)
        GH->>ValidatePAT: pat-token input
        ValidatePAT->>GHAPI: GET /repos/owner/repo with auth header
        GHAPI-->>ValidatePAT: HTTP 200 plus permissions object
        alt permissions.push is false or absent
            ValidatePAT-->>GH: exit 1 - lacks push permission
        else permissions.push is true
            ValidatePAT-->>GH: validation passed
        end
        GH->>SR: dry_run=true
        SR-->>GH: next_version and release_notes
        GH->>GH: Write preview summary
    end

    Maintainer->>GH: Approve release-approval environment gate

    rect rgb(220, 255, 220)
        Note over GH: release job (real push)
        GH->>ValidatePAT: pat-token input
        ValidatePAT->>GHAPI: GET /repos/owner/repo with auth header
        GHAPI-->>ValidatePAT: HTTP 200 plus permissions.push=true
        ValidatePAT-->>GH: validation passed
        GH->>SR: dry_run=false
        SR-->>GH: tag created and release published
        GH->>GH: Write release summary
    end

Reviews (2): Last reviewed commit: "ci(release): Converge PAT validation and archive migration tracking"

Comment thread .github/workflows/auto-tag.yml Outdated
@github-actions
Summary

Tests 📝 Passed ✅ Failed ❌ Skipped ⏭️ Other ❓ Flaky 🍂 Duration ⏱️
2156 2156 0 0 0 0 36.8s    ↓326ms

Test Results

passed 2156 passed

Details

tests 2156 tests
clock 36.8s ↓326ms
tool nunit
build CI - Build & Test arrow-right build-and-test link #984
pull-request ci(release): Fix semantic-release preview authentication link #294

Insights

Average Tests per Run Total Flaky Tests Total Failed Slowest Test (p95)
2156 0 0 4.2s

build-and-test: Run #984

Tests 📝 Passed ✅ Failed ❌ Skipped ⏭️ Pending ⏳ Other ❓ Flaky 🍂 Duration ⏱️
2156 2156 0 0 0 0 0 36.8s

🎉 All tests passed!

Slowest Tests

Test 📝 Results 📊 Duration (avg) ⏱️ Duration (p95) ⏱️
SendRequestAsync_Should_ResolveCqrsRuntime_OnlyOnce_When_AccessedConcurrently 3 4.0s 4.2s
Does_Not_Report_When_FieldInjectedModel_Is_Registered 3 2.2s 2.3s
Generates_Scene_Behavior_Boilerplate 3 1.9s 2.0s
CleanupDuringAcquire_Should_NotCauseRaceCondition 3 1.1s 1.1s
Append_ShouldNotBlock 3 1.0s 1.0s
Context_Caching_Should_Improve_Performance 3 777ms 783ms
PendingCount_ShouldReflectQueuedEntries 3 501ms 501ms
Cleanup_Should_NotRemoveActiveLocks 3 404ms 405ms
Cleanup_Should_RemoveUnusedLocks 3 401ms 402ms
Generates_Precise_Assembly_Type_Lookups_For_Inaccessible_External_Protected_Types 3 334ms 337ms

± Comparison with run #983 at b4669ca | 🎉 No failed tests detected across all runs. | 🍂 No flaky tests detected across all runs. | ⏱️ Measured over 3 runs.

Github Test Reporter by CTRF 💚

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (4)
.github/workflows/auto-tag.yml (2)

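42-49: Suggest cleaning up the temporary file

response_file="$(mktemp)" is not deleted when the script exits. The GitHub Actions runner is destroyed along with the job, so the impact is limited, but adding a trap 'rm -f "${response_file}"' EXIT is more robust and also avoids confusion from leftover mktemp paths mixed into the logs on error paths.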

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/auto-tag.yml around lines 42 - 49, The script creates a
temporary file with response_file="$(mktemp)" but never removes it; add a
cleanup trap to delete that temp file on exit (e.g., use trap 'rm -f
"${response_file}"' EXIT) immediately after creating response_file so any exit
path removes the file; ensure the trap references the same variable name
(response_file) and is set before any commands that might exit early (including
the curl call).

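32-64: The duplicated PAT validation script can be extracted for reuse

The two Validate PAT token scripts in preview and release (lines 132–164) have identical logic; consider extracting them into a composite action (e.g. .github/actions/validate-pat/action.yml) or a reusable workflow, to avoid the two places drifting apart in later changes. Under the current chill mode this can be a follow-up cleanup item.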

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/auto-tag.yml around lines 32 - 64, The "Validate PAT
token" step (named "Validate PAT token" using env PAT_TOKEN and REPO_API_URL and
the curl/status_code case block) is duplicated; extract the shell logic into a
composite action (e.g. .github/actions/validate-pat/action.yml) or a reusable
workflow that accepts PAT_TOKEN and REPO_API_URL as inputs, preserve the same
behavior (mktemp response_file, curl with headers, status_code handling
200/401|403|* and same exit codes), then replace both in-workflow blocks
(preview and release) with a single uses: reference to that action and pass the
PAT_TOKEN secret and any needed envs so the validation is identical.
ai-plan/public/semantic-release-versioning/todos/semantic-release-versioning-tracking.md (2)

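33-70: The "已完成" (Completed) list keeps accumulating; suggest archiving historical details per the guidelines

The 已完成 section already contains several rounds of detail, from the Phase 1 initial migration and the PR review fixes to this round's preview authentication fix, and is gradually turning into an append-only changelog. Per the guidelines, the active tracking file should stay concise so that boot can quickly locate the current recovery point; consider moving the early, already-stable completed items (for example the initial migration and the previous round of PR review fixes covered by lines 35-58) into an archive file and leaving only a pointer here.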

As per coding guidelines: "When completed and validated stages begin to accumulate, contributors MUST archive their detailed history out of the active todos/ and traces/ entry files in the same change, keeping only the current recovery point, active facts, active risks, immediate next step, and pointers to archive files".

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@ai-plan/public/semantic-release-versioning/todos/semantic-release-versioning-tracking.md`
around lines 33 - 70, The "已完成" section in
semantic-release-versioning-tracking.md has become an append-only changelog;
move early/stabilized entries (the historical items currently cluttering lines
~35-58 describing initial migration and PR review fixes) into a dated archive
file (e.g., semantic-release-versioning-archive-YYYYMMDD.md) and replace them
here with a single concise pointer line plus a 1–2 sentence current recovery
point summary; update the active file's "已完成" to only include the minimal
current facts, active risks, immediate next step, and a link/reference to the
new archive, and ensure any references in AGENTS.md or workflow docs still point
to the archive if needed.

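99-104: Duplicate dotnet build GFramework.sln -c Release verification entries

Lines 99-101 and the newly added 102-104 are two result records for the same command, with the same conclusion (639 warning / 0 error, consistent with the baseline). Keeping both will make the active verification list grow ever longer. Consider merging them into one entry and noting in the remark that "it was re-verified after the preview authentication fix, and the result is consistent with the baseline".

♻️ Suggested rewrite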
 - `dotnet build GFramework.sln -c Release`
   - 结果:通过
-  - 备注:Release 构建完成,`639 warning / 0 error`;warning 为仓库既有基线,与本轮 workflow / doc 改动无新增关联项
-- `dotnet build GFramework.sln -c Release`(preview 鉴权修复后复验)
-  - 结果:通过
-  - 备注:Release 构建完成,`639 warning / 0 error`;warning 基线与修复前一致,本轮仅涉及 workflow / `ai-plan` 变更
+  - 备注:Release 构建通过,`639 warning / 0 error`,warning 为仓库既有基线;preview 鉴权修复后已复验,结果与基线一致
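Review bot: The single added `备注` line drops the scope statement that both removed remarks carried, namely that the warnings have no new association with this round's workflow / doc changes and that this round only touched workflow / `ai-plan` files. Consider keeping a short clause to that effect in the merged remark, so the entry still records why the 639-warning baseline is treated as unaffected by this change.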
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@ai-plan/public/semantic-release-versioning/todos/semantic-release-versioning-tracking.md`
around lines 99 - 104, There are duplicate validation entries for the same
command `dotnet build GFramework.sln -c Release`; remove the redundant second
block and merge them into a single entry that states the build result (`639
warning / 0 error`) and in the remark note that the build was re-verified after
the preview auth fix and remained consistent with the existing warning baseline;
update the remark text to something like "Release build: 639 warning / 0 error —
reverified after preview auth fix, baseline unchanged" and delete the extra
repeated bullet.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/auto-tag.yml:
- Around line 32-64: The current PAT validation uses a GET to "${REPO_API_URL}"
which only checks read access (via curl and status_code) and can falsely succeed
for tokens without push permission; change the check to verify write/admin
permission by either calling the collaborators permission endpoint for the token
owner (e.g., GET /repos/{owner}/{repo}/collaborators/{user}/permission using
PAT_TOKEN and inspect the returned permission for "write" or "admin") or perform
an actual git-based probe that mirrors semantic-release behavior (e.g., run git
ls-remote and a safe git push --dry-run to a harmless ref) and fail if
permission is insufficient; ensure you still surface response details
(response_file) on errors and preserve the existing exit/error handling logic
around PAT_TOKEN, status_code and the case branches.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: dde1e090-1a6e-4da6-8b51-dc415d1d8d52

📥 Commits

Reviewing files that changed from the base of the PR and between 524d54d and 195658a.

📒 Files selected for processing (3)
  • .github/workflows/auto-tag.yml
  • ai-plan/public/semantic-release-versioning/todos/semantic-release-versioning-tracking.md
  • ai-plan/public/semantic-release-versioning/traces/semantic-release-versioning-trace.md
📜 Review details
⏰ Context from checks skipped due to timeout of 900000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Analyze (C#)
  • GitHub Check: Code Quality & Security
  • GitHub Check: Build and Test
🧰 Additional context used
📓 Path-based instructions (2)
ai-plan/public/*/traces/**

📄 CodeRabbit inference engine (AGENTS.md)

Contributors MUST maintain a matching execution trace under ai-plan/public/<topic>/traces/ for complex work, recording the current date, key decisions, validation milestones, and the immediate next step

Files:

  • ai-plan/public/semantic-release-versioning/traces/semantic-release-versioning-trace.md
ai-plan/public/*/todos/**

📄 CodeRabbit inference engine (AGENTS.md)

ai-plan/public/*/todos/**: When working from a tracked implementation plan, contributors MUST update the corresponding tracking document under ai-plan/public/<topic>/todos/ in the same change
Tracking updates MUST reflect completed work, newly discovered issues, validation results, and the next recommended recovery point
Active tracking and trace files are recovery entrypoints, not append-only changelogs; they MUST stay concise enough for boot to locate the current recovery point quickly
Recovery documents MUST record the current phase, the active recovery point identifier, known risks, and the next recommended resume step so another contributor or subagent can continue the work safely
When completed and validated stages begin to accumulate, contributors MUST archive their detailed history out of the active todos/ and traces/ entry files in the same change, keeping only the current recovery point, active facts, active risks, immediate next step, and pointers to archive files
When a task spans multiple commits or is likely to exceed a single agent context window, update both the recovery document and the trace at each meaningful milestone before pausing or handing work off
If subagents are used on a complex task, the main agent MUST capture the delegated scope and any accepted findings in the active recovery document or trace before continuing implementation

Files:

  • ai-plan/public/semantic-release-versioning/todos/semantic-release-versioning-tracking.md
🧠 Learnings (13)
📓 Common learnings
Learnt from: CR
Repo: GeWuYou/GFramework PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-26T03:16:48.209Z
Learning: Commit messages MUST use Conventional Commits format: `<type>(<scope>): <summary>` with simplified Chinese summary and unordered list body items starting with verbs like `新增`、`修复`、`优化`
📚 Learning: 2026-04-26T03:16:48.209Z
Learnt from: CR
Repo: GeWuYou/GFramework PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-26T03:16:48.209Z
Learning: Applies to ai-plan/public/*/todos/** : When a task spans multiple commits or is likely to exceed a single agent context window, update both the recovery document and the trace at each meaningful milestone before pausing or handing work off

Applied to files:

  • ai-plan/public/semantic-release-versioning/traces/semantic-release-versioning-trace.md
  • ai-plan/public/semantic-release-versioning/todos/semantic-release-versioning-tracking.md
📚 Learning: 2026-04-26T03:16:48.209Z
Learnt from: CR
Repo: GeWuYou/GFramework PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-26T03:16:48.209Z
Learning: Applies to ai-plan/public/*/traces/** : Contributors MUST maintain a matching execution trace under `ai-plan/public/<topic>/traces/` for complex work, recording the current date, key decisions, validation milestones, and the immediate next step

Applied to files:

  • ai-plan/public/semantic-release-versioning/traces/semantic-release-versioning-trace.md
📚 Learning: 2026-04-26T03:16:48.209Z
Learnt from: CR
Repo: GeWuYou/GFramework PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-26T03:16:48.209Z
Learning: Applies to ai-plan/public/*/todos/** : Tracking updates MUST reflect completed work, newly discovered issues, validation results, and the next recommended recovery point

Applied to files:

  • ai-plan/public/semantic-release-versioning/traces/semantic-release-versioning-trace.md
  • ai-plan/public/semantic-release-versioning/todos/semantic-release-versioning-tracking.md
📚 Learning: 2026-04-26T03:16:48.209Z
Learnt from: CR
Repo: GeWuYou/GFramework PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-26T03:16:48.209Z
Learning: Applies to ai-plan/public/*/todos/** : Recovery documents MUST record the current phase, the active recovery point identifier, known risks, and the next recommended resume step so another contributor or subagent can continue the work safely

Applied to files:

  • ai-plan/public/semantic-release-versioning/traces/semantic-release-versioning-trace.md
  • ai-plan/public/semantic-release-versioning/todos/semantic-release-versioning-tracking.md
📚 Learning: 2026-04-26T03:16:48.209Z
Learnt from: CR
Repo: GeWuYou/GFramework PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-26T03:16:48.209Z
Learning: Applies to ai-plan/public/*/todos/** : Active tracking and trace files are recovery entrypoints, not append-only changelogs; they MUST stay concise enough for `boot` to locate the current recovery point quickly

Applied to files:

  • ai-plan/public/semantic-release-versioning/traces/semantic-release-versioning-trace.md
  • ai-plan/public/semantic-release-versioning/todos/semantic-release-versioning-tracking.md
📚 Learning: 2026-04-26T03:16:48.209Z
Learnt from: CR
Repo: GeWuYou/GFramework PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-26T03:16:48.209Z
Learning: Applies to ai-plan/public/*/todos/** : When working from a tracked implementation plan, contributors MUST update the corresponding tracking document under `ai-plan/public/<topic>/todos/` in the same change

Applied to files:

  • ai-plan/public/semantic-release-versioning/todos/semantic-release-versioning-tracking.md
📚 Learning: 2026-04-26T03:16:48.209Z
Learnt from: CR
Repo: GeWuYou/GFramework PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-26T03:16:48.209Z
Learning: Applies to ai-plan/public/*/todos/** : When completed and validated stages begin to accumulate, contributors MUST archive their detailed history out of the active `todos/` and `traces/` entry files in the same change, keeping only the current recovery point, active facts, active risks, immediate next step, and pointers to archive files

Applied to files:

  • ai-plan/public/semantic-release-versioning/todos/semantic-release-versioning-tracking.md
📚 Learning: 2026-04-26T03:16:48.209Z
Learnt from: CR
Repo: GeWuYou/GFramework PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-26T03:16:48.209Z
Learning: For any multi-step refactor, migration, or cross-module task, contributors MUST create or adopt a dedicated recovery document under `ai-plan/public/<topic>/todos/` before making substantive code changes

Applied to files:

  • ai-plan/public/semantic-release-versioning/todos/semantic-release-versioning-tracking.md
📚 Learning: 2026-04-26T03:16:48.209Z
Learnt from: CR
Repo: GeWuYou/GFramework PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-26T03:16:48.209Z
Learning: Applies to ai-plan/public/README.md : When a worktree-to-topic mapping changes, or when a topic becomes active/inactive, contributors MUST update `ai-plan/public/README.md` in the same change

Applied to files:

  • ai-plan/public/semantic-release-versioning/todos/semantic-release-versioning-tracking.md
📚 Learning: 2026-04-26T03:16:48.209Z
Learnt from: CR
Repo: GeWuYou/GFramework PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-26T03:16:48.209Z
Learning: Commit `type` MUST reflect release semantics: use `feat` only for user-facing capability additions, `fix` for behavior corrections, `perf` for performance improvements, `refactor` for code restructuring, and avoid `feat` for documentation-only changes

Applied to files:

  • ai-plan/public/semantic-release-versioning/todos/semantic-release-versioning-tracking.md
📚 Learning: 2026-04-26T03:16:48.209Z
Learnt from: CR
Repo: GeWuYou/GFramework PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-26T03:16:48.209Z
Learning: Applies to {README.md,docs/**} : Public documentation MUST NOT include governance-only content such as inventory tables, coverage baselines, review queues, batch metrics, recovery points, trace summaries, or 'this still needs a later audit wave' notes

Applied to files:

  • ai-plan/public/semantic-release-versioning/todos/semantic-release-versioning-tracking.md
📚 Learning: 2026-04-26T03:16:48.209Z
Learnt from: CR
Repo: GeWuYou/GFramework PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-26T03:16:48.209Z
Learning: Commit messages MUST use Conventional Commits format: `<type>(<scope>): <summary>` with simplified Chinese summary and unordered list body items starting with verbs like `新增`、`修复`、`优化`

Applied to files:

  • ai-plan/public/semantic-release-versioning/todos/semantic-release-versioning-tracking.md
🪛 LanguageTool
ai-plan/public/semantic-release-versioning/todos/semantic-release-versioning-tracking.md

[uncategorized] ~61-~61: The official name of this software platform is spelled with a capital “H”.
Context: ... - 将 preview 的 semantic-release 令牌从 ${{ github.token }} 切换为 `${{ secrets.PAT_TOKEN }}...

(GITHUB)

🔇 Additional comments (3)
.github/workflows/auto-tag.yml (1)

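76-76: Switching preview to PAT_TOKEN is reasonable

Sharing the same authentication path as release avoids the git push --dry-run in the dry run failing with 403 because github-actions[bot] lacks write permission; the approach is correct. Note that preview now actually holds a token with write permission, but dry_run: true will not really push a tag, so the behavior is as expected and under control.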

ai-plan/public/semantic-release-versioning/traces/semantic-release-versioning-trace.md (1)

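5-49: The trace document update to SEMREL-RP-003 is consistent with the new decisions and complies with the guidelines

The recovery point identifier, key decisions, validation conclusions and next step have all been updated in sync and remain concise, making it easy for boot to quickly locate the current recovery point.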

As per coding guidelines: "Recovery documents MUST record the current phase, the active recovery point identifier, known risks, and the next recommended resume step".

ai-plan/public/semantic-release-versioning/todos/semantic-release-versioning-tracking.md (1)

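16-22: The recovery point and focus updates are clear

SEMREL-RP-003 and the description of this round's preview authentication focus are accurate, and lines 26-28 of the known risks also add the key fact that "the remote push-permission probe fails before version analysis", which helps later contributors pick up the work.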
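
The check discussed in the reviews above (an HTTP 200 from the repository endpoint only proves read access, so `permissions.push` must also be true, and the temporary response file should be removed on exit), as an added example that is not the project's `validate-pat` action. The function names, messages and sample responses are assumptions constructed here; `PAT_TOKEN` and `REPO_API_URL` are the variable names quoted in the review.

```shell
#!/bin/sh
# Added example, not the project's action.yml. Function names and messages are
# assumptions; PAT_TOKEN and REPO_API_URL are the names quoted in the review.

# Succeeds only when the JSON file $1 has permissions.push set to the boolean true.
# Uses jq when it is installed and falls back to python3 otherwise.
has_push_permission() {
  if command -v jq >/dev/null 2>&1; then
    jq -e '.permissions.push == true' "$1" >/dev/null 2>&1
  else
    python3 -c '
import json, sys
try:
    doc = json.load(open(sys.argv[1]))
except ValueError:
    sys.exit(1)
perms = doc.get("permissions") if isinstance(doc, dict) else None
sys.exit(0 if isinstance(perms, dict) and perms.get("push") is True else 1)
' "$1" >/dev/null 2>&1
  fi
}

# Turn an HTTP status ($1) and a saved response body ($2) into a verdict.
# A 200 alone is not accepted: a read-only token also gets 200 on this endpoint.
evaluate_pat_probe() {
  status_code="$1"
  response_file="$2"
  case "${status_code}" in
    200)
      if has_push_permission "${response_file}"; then
        echo "ok: token can push"
        return 0
      fi
      echo "error: token can read the repository but lacks push permission"
      return 1
      ;;
    401|403)
      echo "error: token rejected (HTTP ${status_code})"
      return 1
      ;;
    *)
      echo "error: unexpected HTTP status ${status_code}"
      return 1
      ;;
  esac
}

# Live probe: one authenticated GET, body written to a temp file that is
# removed on every exit path, including early failures.
validate_pat() {
  : "${PAT_TOKEN:?PAT_TOKEN is not set}"
  : "${REPO_API_URL:?REPO_API_URL is not set}"
  response_file="$(mktemp)"
  trap 'rm -f "${response_file}"' EXIT
  status_code="$(curl -sS -o "${response_file}" -w '%{http_code}' \
    -H "Authorization: Bearer ${PAT_TOKEN}" \
    -H "Accept: application/vnd.github+json" \
    "${REPO_API_URL}")" || status_code="000"
  evaluate_pat_probe "${status_code}" "${response_file}"
}

# Offline helper: evaluate a constructed status/body pair without the network.
verdict_for() {
  fixture="$(mktemp)"
  printf '%s' "$2" > "${fixture}"
  rc=0
  evaluate_pat_probe "$1" "${fixture}" || rc=$?
  rm -f "${fixture}"
  return "${rc}"
}

# Constructed sample responses (not captured from GitHub).
verdict_for 200 '{"full_name":"owner/repo","permissions":{"pull":true,"push":true}}' || true
verdict_for 200 '{"full_name":"owner/repo","permissions":{"pull":true,"push":false}}' || true
verdict_for 200 '{"full_name":"owner/repo"}' || true
verdict_for 403 '{"message":"Forbidden"}' || true
```

In a workflow step only `validate_pat` would be called, with `PAT_TOKEN` supplied from the secret through `env:` so the token never appears in the script text.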

Comment thread .github/workflows/auto-tag.yml Outdated
github-actions Bot commented Apr 26, 2026

MegaLinter analysis: Success

Descriptor Linter Files Fixed Errors Warnings Elapsed time
✅ REPOSITORY gitleaks yes no no 3.83s
✅ REPOSITORY trufflehog yes no no 4.03s

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff


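- Add a reusable PAT validation composite action and unify the authentication entry point for preview and release

- Fix the issue where a read-only PAT would wrongly pass the API liveness probe, validate push permission up front, and clean up the temporary file

- Archive the completed items of the semantic-release migration history and trim the active tracking and trace recovery points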
@github-actions
Summary

Tests 📝 Passed ✅ Failed ❌ Skipped ⏭️ Other ❓ Flaky 🍂 Duration ⏱️
2156 2156 0 0 0 0 36.8s    ↓4ms

Test Results

passed 2156 passed

Details

tests 2156 tests
clock 36.8s ↓4ms
tool nunit
build CI - Build & Test arrow-right build-and-test link #985
pull-request ci(release): Fix semantic-release preview authentication link #294

Insights

Average Tests per Run Total Flaky Tests Total Failed Slowest Test (p95)
2156 0 0 4.2s

build-and-test: Run #985

Tests 📝 Passed ✅ Failed ❌ Skipped ⏭️ Pending ⏳ Other ❓ Flaky 🍂 Duration ⏱️
2156 2156 0 0 0 0 0 36.8s

🎉 All tests passed!

Slowest Tests

Test 📝 Results 📊 Duration (avg) ⏱️ Duration (p95) ⏱️
SendRequestAsync_Should_ResolveCqrsRuntime_OnlyOnce_When_AccessedConcurrently 4 3.9s 4.2s
Does_Not_Report_When_FieldInjectedModel_Is_Registered 4 2.2s 2.3s
Generates_Scene_Behavior_Boilerplate 4 1.9s 2.0s
CleanupDuringAcquire_Should_NotCauseRaceCondition 4 1.1s 1.1s
Append_ShouldNotBlock 4 1.0s 1.0s
Context_Caching_Should_Improve_Performance 4 778ms 783ms
PendingCount_ShouldReflectQueuedEntries 4 501ms 501ms
Cleanup_Should_NotRemoveActiveLocks 4 404ms 405ms
Cleanup_Should_RemoveUnusedLocks 4 401ms 402ms
Generates_Precise_Assembly_Type_Lookups_For_Inaccessible_External_Protected_Types 4 336ms 343ms

± Comparison with run #984 at 1679e82 | 🎉 No failed tests detected across all runs. | 🍂 No flaky tests detected across all runs. | ⏱️ Measured over 4 runs.

Github Test Reporter by CTRF 💚

@GeWuYou GeWuYou merged commit 617e0bf into main Apr 26, 2026
7 checks passed
@GeWuYou GeWuYou deleted the feat/semantic-release-versioning branch April 26, 2026 04:17